May sees new detections, Trojan.JS.Generic, written in JavaScript, and Worm.Win32.Vobfus.dla, written in Visual Basic. Worm.Win32.Vobfus.dla allows attackers to install additional malware on the infected computer. It spreads via network and removable drives, saving autorun.inf to the root folder of the infected drive. autorun.inf will launch the worm's executable file each time Explorer is used to open the infected drive.
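An added example (written for this edit, not Lavasoft's or the worm author's code) of how a defender can triage autorun.inf files found on removable drives: it parses the [autorun] section and flags any directive that would launch a program, which is the Vobfus pattern described above. Both sample files are constructed for the example; the RECYCLER path and file name in the worm-style sample are illustrative assumptions, not indicators from the bulletin.

```python
import os

# Constructed sample autorun.inf files (assumptions for this example).
# Worm style: every launch directive points at a hidden executable.
WORM_AUTORUN = """\
[autorun]
open=RECYCLER\\x8f4a2.exe
shell\\open\\command=RECYCLER\\x8f4a2.exe
shell\\explore\\command=RECYCLER\\x8f4a2.exe
shellexecute=RECYCLER\\x8f4a2.exe
useautoplay=1
"""

# Vendor style: only cosmetic directives, nothing is executed.
VENDOR_AUTORUN = """\
[autorun]
icon=drive.ico
label=Backup Drive
"""

# Directives that start a program when Explorer opens the drive.
EXEC_KEYS = {"open", "shellexecute"}
RISKY_EXT = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")


def parse_autorun(text):
    """Parse the [autorun] section into a dict of lowercase key -> value.

    autorun.inf is a plain INI file; a hand-rolled parser avoids the
    interpolation errors configparser raises on values such as %SystemRoot%.
    """
    values = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def launch_targets(values):
    """Return (directive, target) pairs for every program-launching directive,
    including shell\\<verb>\\command entries used to hijack Open/Explore."""
    targets = []
    for key, value in values.items():
        is_verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in EXEC_KEYS or is_verb_cmd:
            targets.append((key, value))
    return targets


def classify(text):
    """'suspicious' if any launch directive runs an executable, else 'benign'."""
    for _directive, target in launch_targets(parse_autorun(text)):
        if not target:
            continue
        program = target.split()[0].strip('"').lower()
        if program.endswith(RISKY_EXT):
            return "suspicious"
    return "benign"


def classify_drive(root):
    """Classify the autorun.inf at the root of a mounted drive, if present."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.exists(path):
        return "absent"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    for label, sample in (("worm-style", WORM_AUTORUN), ("vendor", VENDOR_AUTORUN)):
        print(f"{label}: {classify(sample)}")
        for directive, target in launch_targets(parse_autorun(sample)):
            print(f"  {directive} -> {target}")
```

Patched Windows systems no longer honour autorun.inf on USB flash drives, but the file is still a reliable indicator that a drive has been through an infected machine, and the executable it points at is the sample to submit for analysis.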

Virus.Win32.Neshta.a has been discussed previously in a Lavasoft whitepaper published in March 2012 and information about Win32.Backdoor.Inject can be found in a whitepaper published in January 2013.

New Incomings to the Lab

Let’s review and consider information on the number of unique files with the same detection name.

Using this technique, attackers can redirect a user to malicious websites containing exploits to execute arbitrary code on the target system.

Trojan.Win32.Qhosts.bf, written in Delphi, is designed to modify the "%System%\drivers\etc\hosts" file, which Windows consults to map domain names to IP addresses before querying DNS. Trojan.Win32.Qhosts.bf writes the following strings to the "hosts" file:

Opening any of the URLs mentioned above redirects all user requests to 94.249.189.25.

The Trojan extracts the batch file "rasstavanie.bat", two Visual Basic script files, "eto.vbs" and "naverno.vbs", and two files containing service information, "ruoshka.txt" and "mainlol.txt". All of them are saved to the following folder under Program Files:

%Program Files%\akvi\kavi\

The command interpreter (batch) script is what actually modifies the "%System%\drivers\etc\hosts" file:

Rasstavanie.bat batch file fragment

The VBS "naverno.vbs" malicious script is used to set a hidden attribute on the "%System%\drivers\etc\hosts" file. The "eto.vbs" script is used to send an HTTP GET request to the following URL:

http://94.249.188.143:9007/stat/tuk/210

When manually removing this Trojan, the following folder must be removed:

Attackers often use this technique to block access to Internet resources (for example, antivirus update servers) or to redirect users to phishing pages that steal credentials. If you suspect this is happening, check the "hosts" file for unusual or suspicious entries, in particular familiar domain names mapped to addresses other than 127.0.0.1.
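To act on that advice, here is an added example (written for this edit, not Lavasoft's code) that parses a hosts file and flags every entry pointing a non-local hostname at a routable address, then groups the flagged names by destination so a mass redirect stands out. The sample hosts content is constructed and its hostnames are placeholders; the redirect address in it is the one the bulletin attributes to Trojan.Win32.Qhosts.bf.

```python
import ipaddress
import os
import stat

# Constructed sample hosts-file content (not taken from an infected machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example-tracker.test      # ad-blocker style, benign
94.249.189.25   www.example-bank.test
94.249.189.25   example-social.test   www.example-social.test
"""

# Default Windows location of the file the Trojan modifies.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Flag entries that point a non-local hostname at a routable address.

    Legitimate entries almost always map names to loopback (127.x, ::1) or
    to the null address 0.0.0.0 (used to block ad domains). An entry that
    sends a public-looking name to a public IP is the Qhosts pattern: the
    victim types a familiar URL and lands on the attacker's server.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if name in ("localhost", "localhost.localdomain") or name.endswith(".local"):
            continue
        flagged.append((ip, name, "routable address"))
    return flagged


def group_by_target(flagged):
    """Group flagged hostnames by destination IP; many unrelated names under
    one IP is the strongest signal of a deliberate redirect."""
    by_ip = {}
    for ip, name, _reason in flagged:
        by_ip.setdefault(ip, []).append(name)
    return by_ip


def is_hidden(path):
    """True if the file carries the Windows 'hidden' attribute, which the
    bulletin says naverno.vbs sets on the hosts file; always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def check_hosts_file(path=HOSTS_PATH):
    """Read a real hosts file and return its flagged entries grouped by IP."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return group_by_target(suspicious_entries(fh.read()))


if __name__ == "__main__":
    for ip, names in group_by_target(suspicious_entries(SAMPLE_HOSTS)).items():
        print(f"{ip} <- {', '.join(names)}")
```

Run check_hosts_file() on a live system to inspect the real file; a hidden attribute on the hosts file (is_hidden) is itself unusual and matches the behaviour of the naverno.vbs script described above.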

Ransom Trojans continue to be highly prevalent threats that are frequently analysed by our automated malware analysis systems. Information on how to manually delete these threats can be found here.

Ransomware: Example 1

Ransomware (MD5: a8c05e37d057fad41dd07be3b46a8c3b) is detected by Ad-Aware as Trojan.Win32.Generic!BT

It is a dynamic-link library (DLL). After activation, it copies itself under a randomly generated name to the "All Users" Application Data folder:

%Documents and Settings%\All Users\%AppData%\1doqet.dat

The Trojan creates a shortcut to itself, named "msconfig.lnk", in the current user's Startup folder, so the Trojan is launched each time the user logs in to Windows:

The HTML page that locks the computer is hosted in the Netherlands:

In May, our automated malware analysis system also revealed new fake antiviruses which did not make it into the Top 20. Be cautious of this common scam - the threats detected by these programs do not exist on your PC! You can see what a common fake AV infection procedure looks like on Lavasoft’s Facebook page.

Fake AV (MD5: 984539c28d5c916be994c5eda5829be1) is detected by Ad-Aware as FraudTool.Win32.FakeRean

Fake AV (MD5: 7d7274a1cae4fc938ae4921ea74e7254) is detected by Ad-Aware as FraudTool.Win32.FakeRean.e

Fake AV (MD5: e5a17537734661574a839584398b85c8) is detected by Ad-Aware as Trojan.Win32.FakeAV.gbd

Fake AV (MD5: f6d881ab2eac9a7a399586b655cc895e) is detected by Ad-Aware as Trojan.Win32.Generic!BT

All threats described above are successfully detected by Ad-Aware Antivirus. Never pay a fee to attackers!

Update Windows to Avoid Vulnerability Exploits

At the beginning of May, a new exploit was detected on the Department of Labor’s (DoL) official web site. The exploit took advantage of a vulnerability in Internet Explorer 8. A “use-after-free” condition occurred when a CGenericElement object was freed while a reference to it was kept on the Document and used again during rendering. Successful exploitation allows an attacker to execute arbitrary code on the affected system.

According to the Net Applications statistics, the 23% of users running Internet Explorer 8 were the group most at risk, while all Windows XP SP3 users may have been exposed to potential risks. We suppose that an attacker could perform the following actions on the affected system:

Below are the Top20 Potentially Unwanted Programs blocked by Ad-Aware on users’ PCs. These are advertising software, browser toolbars, search engines and other programs which change browser start pages and other system settings.

Position  Ad-Aware detection        % of all threats  Change in ranking
1         Adware.Linkury            22.92%            +4.74%
2         MyWebSearch               19.28%            -3.33%
3         Win32.Toolbar.Iminent     18.33%            +8.7%
4         Win32.PUP.Bandoo          6.32%             +0.76%
5         SweetIM                   4.41%             -1.14%
6         Bprotector                3.20%             -1.26%
7         Yontoo                    2.46%             +0.19%
8         Babylon                   1.60%             +0.11%
9         DomaIQ                    1.55%             +0.4%
10        Wajam                     1.50%             -0.86%
11        DownloadMR                1.35%             0.00%
12        InstallBrain              1.20%             -0.2%
13        Artua Vladislav           1.12%             -0.28%
14        GamePlayLabs              1.08%             -0.09%
15        Win32.Adware.ShopAtHome   0.96%             -0.14%
16        Bundlore                  0.69%             new
17        CoolMirage Ltd            0.69%             -0.66%
18        Win32.Toolbar.Mediabar    0.68%             new
19        BetterInstaller           0.59%             -0.51%
20        Optimum Installer         0.58%             new

Top20 PUPs detected on user’s PC

Operating Systems

Infections by OS

Geographic Location

Infections by country of origin

We will keep monitoring the global threat landscape and inform our readers about new malicious code samples in the next Lavasoft Security Bulletin.